This is part 2 of a training blog series on Auditing Standards No. 5. This is made for you to easily understand the sections without the heavy-reading of over a hundred pages. This training will give context to SOX 404 requirements.
If this is something new to you and may need some introduction, it is best that you view part 1 here.
Part 2 will cover the following sections of the Auditing Standards No. 5 (AS5)
Paragraph 10 of AS5 is about the risk assessment that the auditor has to do. They are the following:fr
- Determination of significant accounts, disclosures, and relevant assertions
- Selection of controls that you want to test
- Determination of the evidence necessary for a given control
The next paragraph basically says that in doing the assessment, the auditor needs to focus on the areas of highest risk. If in the auditing process there is an area that is likely to have deficiencies or mistakes, it is not always necessary to test the control or areas if it will not result in a material mistake in the financial statements.
An example is having a petty cash account that is $500. Whether it is $500 or $200, it shouldn’t be a big deal. The risk that is misstated is very high, but for $500, there are very few organizations, where $200 or $300 is going to be material to the financial statements.
Paragraph 12 also explains that risk assessment depends on the complexity of the organizations, the business units, or the processes. As an auditor, your judgement on when or not to test certain areas will play an important role.
This section is somehow an extension of risk assessment. You can scale the audit for the areas that are not risky. Doing this is just right-sizing the amount of work, which is a response to those complaints about how SOX 404 cripples the company and uses so many resources that may not add value to small public companies.
The concept of risk-based approach was also introduced in Paragraph 12 of AS5 that was mentioned in the previous section. It is related as well to scaling the audit because it promotes not about having a fixed checklist of things every company should follow, rather it’s about starting from the top risk, identifying what’s the biggest risk, and then deciding what to do.
One of the most popular fraud issues was the Enron Scandal, and this is why it is such a huge topic. As an extension of planning the audit, paragraph 14 essentially says that auditors must actively consider the risk of fraud and material misstatement.
In here, the focus is around material misstatement of the financial statement due to fraud, not FCPA or other similar types of laws. It talks about the controls you specifically have to address or highly likely to address.
Some of the controls that auditors should look into are the following:
- Controls over significant transactions that are outside the normal course of business
- Some clients have a special process or a special section carved out for non-routine transactions. This is where you should look into because most significant transactions are recorded through journal entries, recorded later in the close process, and with the involvement of senior management.
- Controls over journal entries and adjustments made in the period-end financial reporting process
- Some of the things to look in here are journal entries and adjustments. It’s important to know the person who prepares and who approves.
- Controls over related party transactions
- This is looking over the transactions of subsidiaries or shell companies that were basically related to each other. Here, making money is possible by selling to yourself, and this could be the reason for related party transactions.
- Controls related to significant management estimates
- This is focusing on AR reserve and E&O or excess and obsolete inventory reserve. This is where significant judgment of senior management comes in.
- Controls that mitigate incentives for and pressure on management to falsify or inappropriate manage financial results
Paragraph 15 of AS5 also explains that in identifying the deficiencies in controls, auditors are guided by Auditing Standard No. 12 Identifying and Assessing Risks of Material Misstatement.
The key message here in part 2 is about how to prevent another Enron or WorldCom from happening again.
This is the end of part 2 of the Auditing Standards No. 5. If you want to learn more, proceed to Part 3 – Work of Others and Materiality.